SPDX SBOM Package
Checks different properties of the SPDX SBOMs associated with the image being validated.
Rules Included
Allowed
Confirm the SPDX SBOM contains only allowed packages. By default all packages are allowed. Use the "disallowed_packages" rule data key to provide a list of disallowed packages.
Solution: Update the image to not use any disallowed package.
- Rule type: FAILURE
- FAILURE message: Package is not allowed: %s
- Code: sbom_spdx.allowed
Allowed package external references
Confirm the SPDX SBOM contains only packages with explicitly allowed external references. By default all external references are allowed. If the "allowed_external_references" rule data key provides a list of type-pattern pairs, then for each listed reference type only references whose url matches one of the given patterns are allowed, and any other external reference of that type is forbidden.
Solution: Update the image to use only packages with explicitly allowed external references.
- Rule type: FAILURE
- FAILURE message: Package %s has reference %q of type %q which is not explicitly allowed%s
- Code: sbom_spdx.allowed_package_external_references
Allowed package sources
For each of the packages fetched by Hermeto which define externalReferences, verify they are allowed based on the allowed_package_sources rule data key. By default, allowed_package_sources is empty, which means no components with such references are allowed.
Solution: Update the image to not use a package from a disallowed source.
- Rule type: FAILURE
- FAILURE message: Package %s fetched by Hermeto was sourced from %q which is not allowed
- Code: sbom_spdx.allowed_package_sources
- Effective from: 2025-02-17T00:00:00Z
Allowed proxy URLs
For packages with a PURL type listed in proxy_enabled_purl_types, verify the downloadLocation matches at least one pattern from allowed_proxy_url_patterns. The "proxy_enabled_purl_types" rule data key is a list of PURL type strings (e.g. ["maven", "npm"]). The "allowed_proxy_url_patterns" rule data key is an object mapping each PURL type string to a list of regular expression patterns (e.g. {"maven": ["^https://proxy\\.example\\.com/maven/.*"]}). Packages with downloadLocation set to "NOASSERTION" are skipped. If a PURL type is listed in proxy_enabled_purl_types but has no entry in allowed_proxy_url_patterns, all packages of that type are denied.
Solution: Ensure the proxy URL matches one of the patterns defined in the allowed_proxy_url_patterns rule data for the given PURL type.
- Rule type: FAILURE
- FAILURE message: Package %s has proxy URL %q which does not match any allowed pattern for PURL type %q
- Code: sbom_spdx.allowed_proxy_urls
- Effective from: 2026-06-01T00:00:00Z
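The following Python is an added example, not code from the policy project, showing how the proxy URL check described above can be evaluated over an SPDX 2.3 document. The rule data keys are the ones named on the page; the package list, the proxy host, the regular expressions and the use of an unanchored regex search are constructed assumptions for the example. It exercises all four outcomes the rule text distinguishes: a matching proxy URL, a non-matching URL, a "NOASSERTION" download location that is skipped, and a proxy-enabled PURL type with no patterns configured, which denies every package of that type.

```python
import re
from typing import Dict, List

# Constructed rule data (assumption: key names from the page, values made up here).
RULE_DATA = {
    "proxy_enabled_purl_types": ["maven", "npm"],
    "allowed_proxy_url_patterns": {
        "maven": [r"^https://proxy\.example\.com/maven/.*"],
        # "npm" is intentionally absent: it is proxy-enabled but has no
        # allowed patterns, so every npm package with a real URL is denied.
    },
}

# Constructed SPDX 2.3 fragment containing only the fields the check reads.
SBOM = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {   # maven package fetched through the approved proxy: passes
            "name": "commons-lang3",
            "downloadLocation": "https://proxy.example.com/maven/org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0.jar",
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                              "referenceLocator": "pkg:maven/org.apache.commons/commons-lang3@3.12.0"}],
        },
        {   # maven package fetched directly from Maven Central: fails
            "name": "guava",
            "downloadLocation": "https://repo1.maven.org/maven2/com/google/guava/guava/32.1.3-jre/guava-32.1.3-jre.jar",
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                              "referenceLocator": "pkg:maven/com.google.guava/guava@32.1.3-jre"}],
        },
        {   # npm package with no download location recorded: skipped
            "name": "lodash",
            "downloadLocation": "NOASSERTION",
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                              "referenceLocator": "pkg:npm/lodash@4.17.21"}],
        },
        {   # npm is proxy-enabled but has no patterns: fails
            "name": "left-pad",
            "downloadLocation": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                              "referenceLocator": "pkg:npm/left-pad@1.3.0"}],
        },
        {   # pypi is not in proxy_enabled_purl_types: not checked at all
            "name": "requests",
            "downloadLocation": "https://files.pythonhosted.org/packages/requests-2.31.0.tar.gz",
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                              "referenceLocator": "pkg:pypi/requests@2.31.0"}],
        },
    ],
}


def purl_type(purl: str) -> str:
    """Return the PURL type: the segment between 'pkg:' and the first '/'."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    return purl[len("pkg:"):].split("/", 1)[0].lower()


def package_purls(pkg: Dict) -> List[str]:
    """All purl locators attached to an SPDX package through externalRefs."""
    return [ref["referenceLocator"]
            for ref in pkg.get("externalRefs", [])
            if ref.get("referenceType") == "purl"]


def check_allowed_proxy_urls(sbom: Dict, rule_data: Dict) -> List[str]:
    """One failure message per package whose downloadLocation is not covered
    by an allowed proxy pattern for its PURL type."""
    enabled = set(rule_data.get("proxy_enabled_purl_types", []))
    patterns = rule_data.get("allowed_proxy_url_patterns", {})
    failures = []
    for pkg in sbom.get("packages", []):
        location = pkg.get("downloadLocation", "NOASSERTION")
        if location == "NOASSERTION":
            continue  # nothing to compare against; the rule skips these
        for purl in package_purls(pkg):
            ptype = purl_type(purl)
            if ptype not in enabled:
                continue  # only proxy-enabled types are subject to the check
            # A proxy-enabled type with no configured patterns yields an empty
            # list, so nothing can match and the package is denied.
            allowed = patterns.get(ptype, [])
            if not any(re.search(p, location) for p in allowed):
                failures.append(
                    f'Package {pkg["name"]} has proxy URL "{location}" which does not '
                    f'match any allowed pattern for PURL type "{ptype}"')
    return failures


if __name__ == "__main__":
    for msg in check_allowed_proxy_urls(SBOM, RULE_DATA):
        print(msg)
```

Run as a script it prints two failures, one for guava and one for left-pad; the other three packages pass or are skipped for the reasons given in the comments.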
Contains files
Check the list of files in the SPDX SBOM is not empty.
Solution: Verify the SBOM is correctly identifying the files in the image.
- Rule type: FAILURE
- FAILURE message: The list of files is empty
- Code: sbom_spdx.contains_files
Contains packages
Check the list of packages in the SPDX SBOM is not empty.
Solution: Verify the SBOM is correctly identifying the packages in the image.
- Rule type: FAILURE
- FAILURE message: The list of packages is empty
- Code: sbom_spdx.contains_packages
Disallowed package attributes
Confirm the SPDX SBOM contains only packages without disallowed attributes. By default all attributes are allowed. Use the "disallowed_attributes" rule data key to provide a list of key-value pairs that forbid the use of an attribute set to the given value.
Solution: Update the image to not use any disallowed package attributes.
- Rule type: FAILURE
- FAILURE message: Package %s has the attribute %q set%s
- Code: sbom_spdx.disallowed_package_attributes
- Effective from: 2025-02-04T00:00:00Z
Disallowed package external references
Confirm the SPDX SBOM contains only packages without disallowed external references. By default all external references are allowed. Use the "disallowed_external_references" rule data key to provide a list of type-pattern pairs that forbid the use of an external reference of the given type where the reference url matches the given pattern.
Solution: Update the image to not use a package with a disallowed external reference.
- Rule type: FAILURE
- FAILURE message: Package %s has reference %q of type %q which is disallowed%s
- Code: sbom_spdx.disallowed_package_external_references
- Effective from: 2024-07-31T00:00:00Z
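The following Python is an added example, not the policy project's own code, covering both the "Allowed package external references" rule and the "Disallowed package external references" rule above, since both walk the same externalRefs of every package. The rule data key names are the ones on the page; the per-entry field names "type" and "url", the sample packages, the hosts and the regular expressions are constructed assumptions. The trailing "%s" detail in the page's messages is left out. The allowed check only constrains reference types that appear in the rule data, while the disallowed check rejects a reference when both its type and its locator match an entry.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Constructed rule data. Assumption: each entry is a type-pattern pair with
# the fields "type" and "url"; the page names the list keys but not the fields.
RULE_DATA = {
    # purl references must point at Go modules or RPMs; any other purl type is
    # "not explicitly allowed". Reference types not listed here are not checked.
    "allowed_external_references": [
        {"type": "purl", "url": r"^pkg:(golang|rpm)/"},
    ],
    # any "distribution" reference pointing at the untrusted host is disallowed.
    "disallowed_external_references": [
        {"type": "distribution", "url": r"^https?://untrusted\.example\.org/"},
    ],
}

# Constructed SPDX 2.3 fragment.
SBOM = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {   # allowed purl, distributed from the approved proxy: passes both checks
            "name": "example.com/lib",
            "externalRefs": [
                {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                 "referenceLocator": "pkg:golang/example.com/lib@v1.2.3"},
                {"referenceCategory": "OTHER", "referenceType": "distribution",
                 "referenceLocator": "https://proxy.example.com/go/example.com/lib/@v/v1.2.3.zip"},
            ],
        },
        {   # npm purl falls outside the allowed purl patterns
            "name": "left-pad",
            "externalRefs": [
                {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                 "referenceLocator": "pkg:npm/left-pad@1.3.0"},
            ],
        },
        {   # allowed purl, but distributed from a disallowed host
            "name": "openssl",
            "externalRefs": [
                {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                 "referenceLocator": "pkg:rpm/redhat/openssl@3.0.7"},
                {"referenceCategory": "OTHER", "referenceType": "distribution",
                 "referenceLocator": "https://untrusted.example.org/openssl-3.0.7.rpm"},
            ],
        },
    ],
}


def external_refs(sbom: Dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (package name, reference type, reference locator) for every externalRef."""
    for pkg in sbom.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            yield pkg["name"], ref["referenceType"], ref["referenceLocator"]


def check_allowed_external_references(sbom: Dict, rule_data: Dict) -> List[str]:
    """For each reference type that has allowed patterns, every reference of
    that type must match at least one pattern; other types are not checked."""
    by_type: Dict[str, List[str]] = {}
    for entry in rule_data.get("allowed_external_references", []):
        by_type.setdefault(entry["type"], []).append(entry["url"])
    failures = []
    for name, rtype, locator in external_refs(sbom):
        if rtype in by_type and not any(re.search(p, locator) for p in by_type[rtype]):
            failures.append(f'Package {name} has reference "{locator}" of type "{rtype}" '
                            'which is not explicitly allowed')
    return failures


def check_disallowed_external_references(sbom: Dict, rule_data: Dict) -> List[str]:
    """A reference is disallowed when an entry matches both its type and its locator."""
    failures = []
    for name, rtype, locator in external_refs(sbom):
        for entry in rule_data.get("disallowed_external_references", []):
            if entry["type"] == rtype and re.search(entry["url"], locator):
                failures.append(f'Package {name} has reference "{locator}" of type "{rtype}" '
                                'which is disallowed')
    return failures


if __name__ == "__main__":
    for msg in (check_allowed_external_references(SBOM, RULE_DATA)
                + check_disallowed_external_references(SBOM, RULE_DATA)):
        print(msg)
```

With this input the allowed check flags only left-pad and the disallowed check flags only openssl; example.com/lib passes both because its purl matches the allowed pattern and its distribution URL does not match the disallowed one.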
Matches image
Check the SPDX SBOM targets the image being validated.
Solution: The SPDX SBOM associated with the image describes a different image. Verify the integrity of the build system.
- Rule type: FAILURE
- FAILURE message: Image digest in the SBOM, %q, is not as expected, %q
- Code: sbom_spdx.matches_image
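The following Python is an added example, not the policy project's own code, illustrating the kind of comparison the "Matches image" rule performs. It assumes that the image is the package listed in the document's documentDescribes and that its digest is the version component of that package's pkg:oci purl, where the ':' in "sha256:" is percent-encoded as %3A; the SPDX fragment, the image name and the digest are constructed for the example.

```python
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed SPDX 2.3 fragment for a container image. Assumption: the image
# package is the one named in documentDescribes, and its digest is carried in
# the version part of its pkg:oci purl (':' percent-encoded as %3A).
SBOM = {
    "spdxVersion": "SPDX-2.3",
    "documentDescribes": ["SPDXRef-image"],
    "packages": [
        {
            "SPDXID": "SPDXRef-image",
            "name": "registry.example.com/team/app",
            "externalRefs": [
                {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                 "referenceLocator": "pkg:oci/app@sha256%3A" + "1" * 64
                                     + "?repository_url=registry.example.com/team/app"},
            ],
        },
        {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl", "externalRefs": []},
    ],
}

# Constructed digest of the image under validation; in practice it comes from
# the image reference being validated, not from the SBOM itself.
EXPECTED_DIGEST = "sha256:" + "1" * 64


def described_packages(sbom: Dict) -> List[Dict]:
    """Packages the SPDX document declares itself to describe."""
    ids = set(sbom.get("documentDescribes", []))
    return [p for p in sbom.get("packages", []) if p.get("SPDXID") in ids]


def oci_digest(pkg: Dict) -> Optional[str]:
    """Digest from the package's pkg:oci purl, or None when there is none."""
    for ref in pkg.get("externalRefs", []):
        loc = ref.get("referenceLocator", "")
        if ref.get("referenceType") == "purl" and loc.startswith("pkg:oci/") and "@" in loc:
            # the version sits between '@' and any '?qualifiers' suffix
            version = loc.split("@", 1)[1].split("?", 1)[0]
            return unquote(version)
    return None


def check_matches_image(sbom: Dict, expected_digest: str) -> List[str]:
    """One failure per described package whose digest differs from the expected one."""
    failures = []
    for pkg in described_packages(sbom):
        found = oci_digest(pkg)
        if found != expected_digest:
            failures.append(f'Image digest in the SBOM, "{found}", '
                            f'is not as expected, "{expected_digest}"')
    return failures


if __name__ == "__main__":
    print(check_matches_image(SBOM, EXPECTED_DIGEST))            # []
    print(check_matches_image(SBOM, "sha256:" + "2" * 64))        # one mismatch
```

The decoded digest compares equal to the expected value, so the first call returns no failures; passing a different digest produces the rule's mismatch message with the SBOM's digest first and the expected digest second.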